Legal

Privacy Policy

Last updated: April 2026

Contents

Mind Renew is a mental health platform connecting clients with licensed therapists trained in Internal Family Systems (IFS) and Compassion-Focused Therapy (CFT). Because we handle sensitive health-related information, we take data protection seriously. This policy explains what we collect, why, how long we keep it, and what rights you have.

Mind Renew is operated by Laurentiu Construct, registered in Portugal. For data protection matters, contact us at info@mind-renew.com.

1.The nature of the data we process

Mind Renew processes special category data under Article 9 of the GDPR. Mental health information — including session content, clinical notes, mood logs, and assessment responses — is health data under EU law. We process this data only with your explicit consent and under strict confidentiality obligations.

2.Who this policy applies to

Clientsindividuals using the platform to access therapy
Therapistslicensed practitioners using the platform to deliver therapy
Visitorsanyone browsing the Mind Renew website

3.Data we collect and why

Account data (all users)

WhatName, email address, password (encrypted), role, preferred language, timezone.
WhyTo create and manage your account and provide access to the platform.
BasisPerformance of contract (Article 6(1)(b)).

Client data

WhatAssigned therapist, session credits remaining, package status, intake booking details.
WhyTo manage your therapy relationship and track session entitlements.
BasisPerformance of contract (Article 6(1)(b)).

Health and clinical data

WhatSession notes written by your therapist, notes you write yourself, mood logs, assessment responses, and any clinical information shared during sessions.
WhyTo support your therapeutic process and enable continuity of care.
BasisExplicit consent (Article 9(2)(a)). You provide this consent through the GDPR consent gate before accessing the platform. You may withdraw consent at any time by contacting us, though this may affect your ability to use the platform.
Therapist session notes are accessible only to your therapist. Your own notes are accessible only to you. Neither party can access the other's notes unless explicitly shared.

Session data

WhatSession date and time, Whereby video room URL, session status, booking history.
WhyTo schedule, deliver, and record the completion of therapy sessions.
BasisPerformance of contract (Article 6(1)(b)).

Secure messages

WhatMessages exchanged between you and your therapist within the platform.
WhyTo enable secure clinical communication between sessions.
BasisExplicit consent (Article 9(2)(a)) and performance of contract (Article 6(1)(b)). Messages are only visible to the sender and recipient.

Payment data

WhatPackage type, amount paid, invoice records, Stripe payment identifiers. We do not store full card numbers — payment processing is handled by Stripe.
WhyTo process payments, issue invoices, and maintain financial records.
BasisPerformance of contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) for tax and invoicing records.

Consent records

WhatRecord of GDPR consent and therapy agreement, including timestamp and IP address.
WhyTo demonstrate that consent was freely given, specific, and informed, as required by law.
BasisLegal obligation (Article 6(1)(c)).

Therapist profile and credential data

WhatProfessional biography, languages, therapeutic approaches, profile photo, license number, license body, years of experience, diploma, license certificate, and insurance certificate.
WhyTo verify qualifications, publish your public profile, and maintain clinical integrity standards.
BasisPerformance of contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) for verification purposes.

Therapist application data

WhatApplication form responses, credential documents, and review outcome.
WhyTo assess applications from prospective therapists.
BasisLegitimate interests (Article 6(1)(f)).

Usage data

WhatIP address, browser type, pages visited, time on page.
WhyTo maintain platform security and monitor for technical issues.
BasisLegitimate interests (Article 6(1)(f)).

4.Data processors

We use the following third-party services to operate the platform. Each is bound by data processing agreements. We do not sell your data to third parties. We do not use your data for advertising.

ProcessorPurposeLocation
Supabase Inc.Database, authentication, file storageEU region (Frankfurt)
Whereby ASVideo session infrastructureNorway (EEA)
Resend Inc.Transactional email deliveryUSA — Standard Contractual Clauses apply
Stripe Inc.Payment processingIreland (EU) / USA — SCCs apply for US operations

5.International data transfers

Resend and Stripe may process data outside the European Economic Area. Where this occurs, transfers are protected by Standard Contractual Clauses approved by the European Commission under Article 46 GDPR. You may request a copy of applicable safeguards by contacting us.

6.How long we keep your data

Data typeRetention period
Account dataDuration of account, plus 30 days after deletion request
Clinical notes and session data5 years from last session, in line with Portuguese clinical record obligations
Mood logs and assessment responsesDuration of active therapy relationship, then deleted on request
MessagesDuration of active therapy relationship, then deleted on request
Payment records and invoices10 years, as required by Portuguese tax law
Consent records10 years from date of consent
Therapist application data (rejected)6 months from decision
Therapist credential documentsDuration of active therapist status, plus 1 year
Usage data90 days

7.Your rights

Under the GDPR, you have the following rights. To exercise any of these rights, contact us at info@mind-renew.com. We will respond within 30 days.

Accessrequest a copy of the personal data we hold about you
Rectificationcorrect inaccurate data
Erasurerequest deletion of your data, subject to legal retention obligations
Restrictionask us to pause processing while a dispute is resolved
Portabilityreceive your data in a structured, machine-readable format
Objectionobject to processing based on legitimate interests
Withdraw consentwhere processing is based on consent, you may withdraw at any time

If you are not satisfied with our response, you have the right to lodge a complaint with the Portuguese data protection authority: CNPD — Comissão Nacional de Proteção de Dados · www.cnpd.pt · +351 213 928 400

8.Children

Our platform is intended for adults. We do not knowingly collect data from individuals under the age of 16. In Portugal and across the EU, 16 is the minimum age for digital consent under GDPR. If we become aware that a person under 16 has created an account, we will delete their data promptly.

9.Security

All data is stored on Supabase's EU-region infrastructure. The platform uses row-level security to ensure users can only access their own data. Connections are encrypted in transit using TLS. Therapist credential documents are stored in a private, access-controlled storage bucket. Payments are processed by Stripe and card data never passes through our servers. No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we maintain commercially appropriate technical and organisational measures.

10.Cookies

We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. A separate Cookie Policy is available at mind-renew.com/cookie-policy.

11.Changes to this policy

We will notify you of material changes by email and by updating the date at the top of this page. We encourage you to review this policy periodically.

12.Contact

For any questions about this policy or your personal data, contact us at info@mind-renew.com or through our contact page.